Unauthenticated Remote Code Execution in n8n Workflow Automation Platform
CVE-2026-42228

6.3MEDIUM

Key Information:

Vendor: N8n-io
Status: N8n
Vendor: CVE Published:; 4 May 2026

What is CVE-2026-42228?

The n8n Workflow Automation Platform contains a vulnerability in the /chat WebSocket endpoint used by the Chat Trigger node's Hosted Chat feature. Versions prior to 1.123.32, 2.17.4, and 2.18.1 lack proper authorization checks for incoming connections. As a result, an unauthenticated remote attacker can identify a valid execution ID for a workflow that is waiting to be executed, potentially allowing them to attach to that execution and receive sensitive information intended for the legitimate user. Furthermore, the attacker can submit arbitrary input, thereby influencing or resuming the downstream workflow's behavior. This flaw has been resolved in the latest versions, underscoring the importance of updating to maintain the security of the system.

Affected Version(s)

n8n < 1.123.32 < 1.123.32

n8n >= 2.17.0, < 2.17.4 < 2.17.0, 2.17.4

n8n >= 2.18.0, < 2.18.1 < 2.18.0, 2.18.1

References

https://github.com/n8n-io/n8n/security/advisories/GHSA-f7...

x_refsource_CONFIRM

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 4, 2026
Vulnerability Reserved
Apr 25, 2026

CVE-2026-42228 Data

JSON

N8n-io

What is CVE-2026-42228?

Affected Version(s)

References

CVSS V4

Timeline